With the proliferation of pervasive computing, the frontline of cyberwarfare and digital forensics has migrated from the desktop to more diverse and volatile computational environments, including the cloud and mobile devices. The excessive yet volatile data need to be acquired, transmitted, and analyzed in a timely manner, which makes existing forensic tools and technology inadequate. A sound digital forensics process in the cloud requires stronger mechanisms that enforce authentication and protect data integrity, while taking cloud-specific facets into account.
In this chapter, we describe CloudForen, a framework that addresses the vulnerabilities of a forensic investigation process. The framework aims at (1) establishing a trustworthy relationship between forensic custodies and (2) transmitting forensic data as a stream. To fulfill the first goal, two protocols are proposed: one to verify the integrity of computer platforms and one to grant/revoke privileges of custodies. The protocols harness the Trusted Platform Module (TPM) and Ciphertext-Policy Attribute-based Encryption (CP-ABE), which allow communicating custodies to authenticate the fingerprints of both platforms as well as the roles of the custodies. To achieve the second goal, forensic data are transmitted between trusted custodies as streaming data in which a unique fragile watermark is embedded. Using a fragile watermark allows not only data integrity to be verified, but also malicious data manipulation to be localized. In addition, the watermarks are embedded into network packets to minimize communication overhead. Our experimental results demonstrate that CloudForen can achieve good scalability with limited overhead in an Infrastructure as a Service (IaaS) cloud computing environment.
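To make the verify-and-localize property concrete, the following added example (not CloudForen's own scheme or code) uses a simplified stand-in for the fragile watermark: a short keyed tag carried in each packet and chained to the previous packet's tag. The names `embed` and `verify`, the 8-byte tag size, the shared key, and the sample chunks are all assumptions constructed for illustration.

```python
import hashlib
import hmac

TAG_LEN = 8  # assumed number of watermark bytes carried per packet


def _tag(key: bytes, seq: int, payload: bytes, prev_tag: bytes) -> bytes:
    """Keyed tag over sequence number, previous tag, and payload."""
    msg = seq.to_bytes(8, "big") + prev_tag + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def embed(key: bytes, chunks: list[bytes]) -> list[tuple[int, bytes, bytes]]:
    """Sender side: turn data chunks into (seq, payload, tag) packets."""
    packets, prev = [], b"\x00" * TAG_LEN
    for seq, payload in enumerate(chunks):
        tag = _tag(key, seq, payload, prev)
        packets.append((seq, payload, tag))
        prev = tag
    return packets


def verify(key: bytes, packets: list[tuple[int, bytes, bytes]]) -> list[int]:
    """Receiver side: return the sequence numbers whose tag does not verify.

    The chain continues from the *received* tag, so a single altered or
    missing packet is reported at its own position instead of invalidating
    every packet that follows it.
    """
    suspect, prev = [], b"\x00" * TAG_LEN
    for seq, payload, tag in packets:
        if not hmac.compare_digest(_tag(key, seq, payload, prev), tag):
            suspect.append(seq)
        prev = tag
    return suspect


if __name__ == "__main__":
    key = b"constructed-demo-key"                         # constructed sample key
    chunks = [f"evidence block {i}".encode() for i in range(5)]  # constructed data
    stream = embed(key, chunks)
    print("clean stream:", verify(key, stream))
    tampered = list(stream)
    tampered[2] = (2, b"evidence block X", stream[2][2])  # payload altered in transit
    print("payload altered:", verify(key, tampered))
    dropped = stream[:1] + stream[2:]                     # packet 1 removed in transit
    print("packet dropped:", verify(key, dropped))
```

A dropped packet is reported at the sequence number of the packet that follows the gap, because that packet's tag was chained to a tag the receiver never saw.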